Adding MySQL TLS Functionality


I’m working on adding TLS support for MySQL in the Zeek master branch. Our mysql.log is filling up with a lot of encrypted TLS traffic which isn’t overly helpful to us. Rather than ignore this log entirely, I’d like to just add TLS handshake functionality to the analyzer.

I found that there’ a Client_Capabilities enum type within the MySQL Analyzer that I’ve added the CLIENT_SSL bitmask to, which seems to compare against the right bits in the initial handshake.

However, when I try to create a new TLSHandshake() function in to call when this type of handshake is detected, similar to how the IMAP analyzer’s StartTLS function, I can’t quite get it to compile:


Seems like you just need to cast:


That is, bro_analyzer() returns an analyzer::Analyzer*, which is the
base class that has no TLSHandshake() method, thus the compiler error.

- Jon

Thanks for the reply!

I’m now getting this error:

You may need to shuffle some of the header includes around, see if the
attached patch helps.

I also had a typo in the example cast, it should have been casting to
a pointer-type with '*', like:


- Jon

mysql-analyzer.patch (1.09 KB)

That worked, thanks! It’s compiling now.


So now that it’s compiling, I’m able to work further on this. I was successful in generating ssl.log for SSL connections. However, I’m running into some logic issues where ALL connections are getting flagged as being SSL-enabled handshakes. I’ve narrowed it down to the logic where msg.v10_response.client_ssl is being set to true for both SSL-handshake and non-encrypted connections. This boolean is being generated from:

client_ssl: bool = $context.connection.set_client_ssl(cap_flags & CLIENT_SSL);

Looking at the MySQL documentation, I see that the CLIENT_DEPRECATE_EOF matches correctly:
with the MySQL Documentation (0x01000000) (

I’ve appended the CLIENT_SSL (Value 0x00000800) to the enum type, which is bitmasked against the Handshake_Response_Packet_v10.cap_flags (uint32) record.

When I printf() the msg.v10_response.client_ssl here::

function proc_mysql_handshake_response_packet(msg: Handshake_Response_Packet): bool

if ( mysql_handshake )
if ( ${msg.version} == 10 && ${msg.v10_response.client_ssl}) {
fprintf(stderr, “%u\n”,${msg.v10_response.cap_flags});

I’m seeing the value of 4026597376 set for this variable when I use the zeek cli to parse my MySQL SSL-handshake PCAP. The value that is being returned for this field between Zeek and Wireshark are very different. This is for the same connection:

Zeek returns:
4026597376 (1111 0000 0000 0001 0000 0000 0000 0000)

Wireshark shows:
(Client Capabilities section)
1010 1010 10000 1101

(Extended capabilities section)
0000 0001 1011 1111

I think I’m comparing what should be the same fields. Let me know any of these steps don’t seem right.

Thanks for the help!